ISE 2.3 - Passive ID & EasyConnect Enhancements (/blog/2017/10/7/ise-23-passive-id)


Katherine McNamara (/blog?author=565b775ce4b04cd6ce9c59a3) 


In this post, I'm going to review the PassiveID features of ISE that are new as of ISE 2.2 and 2.3. In this particular post, I'll be doing it all from ISE 2.3, but bear in mind that you can do all this from ISE 2.2 as well. In ISE 2.0, a feature called EasyConnect was added which utilized WMI logs from the Active Directory domain controller to check for login events. Based on those login events, ISE would make a decision to grant access. This allowed ISE to grant network access beyond the typical 802.1x and profiling methods. This functioned well but required a LOT of backend work to prepare Active Directory to share the WMI logs; if you read my earlier post here (http://www.network-node.com/blog/2015/12/24/server-2012-configuration-pxgrid-gpo-settings), you will see what I mean. The creators of ISE decided to revamp this process and create a better way to do this in ISE 2.2 and later.
With the revamped PassiveID, ISE seeks to solve two problems:

1) Ensure that EasyConnect is now easier to set up
2) Have ISE function as the context directory agent for other Cisco and pxGrid partners


For #2, I will expand on that: In the past, ISE had to see an authentication to share the user and context information with third-party systems via pxGrid. This meant that you had to have ISE deployed everywhere to have full identity mapping on ISE, other Cisco Security tools, and ISE Ecosystem Partners (https://communities.cisco.com/docs/DOC-71292). This was a bit of a problem: if the customer is rolling out ISE or it's not deployed everywhere, pxGrid really isn't getting a full picture of who is on the network to share with other tools. By adding other ways to feed identity information into ISE, this solves the problem and allows ISE to share the username-to-IP mapping with pxGrid.


PassiveID is set up through the PassiveID Work Center. There are a few tabs I want to walk through:




• Overview - This is where you can get a list of steps on how to set up PassiveID, view the dashboard, and see Live Sessions.




• Providers - This is where you set up the "Providers" of the identity information. This can be done via Active Directory WMI, an agent that runs on the domain controllers, an API provider, a SPAN port looking for Kerberos logins, and syslog providers.




• Subscribers - These are the pxGrid "subscribers" who will be receiving the identity information from PassiveID. If you're using self-signed certificates for ISE, you can also generate a self-signed certificate here from a built-in pxGrid Certificate Template under the Certificates tab.


• Certificates - This tab is useful if you're using a CA-signed certificate and you need to import it or issue a CSR for the ISE node. This is the same menu as Administration > System > Certificates.




• Troubleshoot - This is a screen where you can run a TCP dump to troubleshoot PassiveID issues and verify that you're actually getting packets from your providers.




• Reports - This is where you can generate and schedule reports based on PassiveID-related events.




Now that I've laid the groundwork of what each menu consists of, I'm going to go back to the Providers tab to explain how to configure some of the different options. On this tab, you can see the various provider types. Let's walk through the configuration of each:


Active Directory - This is for joining a domain and configuring WMI on the domain controller with ease. If you have not already joined the domain, click on the Add button to join ISE to the domain:




After clicking Add, you will need to enter the join point name and domain name. It will then ask whether you would like to join the domain. You will need administrator credentials, or the credentials of an account that can join a computer to the domain.




After ISE is joined to the domain, you will want to navigate to the PassiveID tab under the Active Directory domain.




Here, you indicate which domain controllers you would like to use for PassiveID. You can add new ones or use the existing one you just joined. Check the box next to the domain controller that's currently there and click Edit.




On the pop-up, ensure that a domain admin account's username and password are configured and choose WMI from the dropdown. The next thing to do, which is brilliant because it took a LOT of the manual work out of it, is to click Configure right next to WMI. This will cause ISE to reach out to the domain controller you selected and make the changes necessary to view the WMI logs. This greatly simplifies a task that used to be incredibly tedious.




After you configure it, you can click the button next to it to test that it works. You should get a popup saying it works:


The connection was tested on 'ise.securitydemo.net' PassiveID active node.
Connection to 'AD1.securitydemo.net' established successfully.
Windows version is 'Win2012R2', NetBIOS domain is 'SECURITYDEMO', Query for history events succeeded.


Now let's say you don't want to use WMI and would rather use an agent. That's fine. Close out of the popup window and click on the Add Agent button.




A new pop-up box will come up with the option to deploy an agent to the domain controller. You need to give the FQDN of the domain controller and administrator credentials. After you do so, click the Deploy button and ISE will silently install the agent on the domain controller to run as a service in the background.




After you have deployed the service, edit the domain controller again in the same window:




From the popup window, choose Agent under Protocol and choose the name of the agent you previously deployed. Then click Save.




Whether you decide to use WMI or an Agent, the deployment is made very simple compared to having to manually change registries and do a ton of backend work on your domain controllers, not to mention the risk of human error that's involved. If you've followed my instructions up to this point, navigate to Work Centers > PassiveID > Overview > Live Sessions and you should see authentications coming in from endpoints that aren't just authenticating to the network via 802.1x.




Note: In order to use EasyConnect, you would need to deploy a PassiveID 
provider using either WMI or the Agent. All other forms of PassiveID are 
used just for sharing context information between various other systems 
with pxGrid. 


Agents - This is just another tab where you can deploy the agent, or you can download it to register it manually later. This can also be done from the Active Directory screen. Since we configured it both ways above, I won't rehash the same thing.


API Provider - This lets ISE gather user identity information from another application that might be running somewhere in the environment and is sharing that information with ISE via a REST API. The user information should be sent via JSON and include the following information:

• Username
• IP Address
• Port range
• Domain


To configure it, you enter the IP or FQDN of the application and the username and password for the REST API.




SPAN - This has to be enabled on a specific NIC port on ISE that you specify, and it will be looking for Kerberos messages from the switch. Probably the best way to make this scalable is to filter what type of packets are spanned to ISE's interface. The important things that ISE needs to see are:

• Username
• IP address
• Domain


Syslog Providers - This one is a fun one because there's almost no limit to what you can configure as a syslog provider, as long as the syslog message is sending the following details:

• Username
• IP address
• MAC address
• Domain


Thankfully, the creators of ISE made it easy to use common syslog providers by adding templates of common syslog formats from familiar systems:




But in the event that does not work for you, you can click New and add your own syslog template for whatever system you are using.


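To make the template idea concrete, here is an added example (my own model, not ISE code or the post's) of what a custom syslog template has to do: one pattern per mapping operation (New Mapping / Removed Mapping), named groups for the user name, IP address, domain and MAC address the form asks for, IP Address treated as mandatory, and a Default Domain filled in when the line has none. The "idlog" message format and the SyslogTemplate/IdentityEvent names are constructed for the example; the sample lines are not from any real product.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SyslogTemplate:
    """Hypothetical model of a custom PassiveID syslog template (not ISE's).

    One regex per mapping operation. Each regex exposes named groups for the
    data ISE identifies in a line: user, ip, domain, mac. IP Address (and the
    user it belongs to) is mandatory; domain and mac are optional. default_domain
    mirrors the provider's Default Domain setting and fills in a missing domain.
    """
    name: str
    new_mapping: re.Pattern
    removed_mapping: Optional[re.Pattern] = None
    default_domain: Optional[str] = None


@dataclass
class IdentityEvent:
    operation: str          # "new" or "removed"
    user: str
    ip: str
    domain: Optional[str]
    mac: Optional[str]


def normalize_mac(mac: str) -> str:
    """Accept 5c:20:55:65:27:e6, 5c20.5565.27e6 or 5C-20-..., return AA:BB:CC:DD:EE:FF."""
    return ":".join(re.findall(r"[0-9A-Fa-f]{2}", mac)).upper()


def parse_syslog_line(template: SyslogTemplate, line: str) -> Optional[IdentityEvent]:
    """Apply the template to one line. Returns an event, or None when the line
    carries no mapping at all or lacks the mandatory user/IP data."""
    for operation, pattern in (("new", template.new_mapping),
                               ("removed", template.removed_mapping)):
        if pattern is None:
            continue
        match = pattern.search(line)
        if match is None:
            continue
        fields = match.groupdict()
        user, ip = fields.get("user"), fields.get("ip")
        if not user or not ip:
            return None     # matched the operation but the mandatory data is missing
        mac = fields.get("mac")
        return IdentityEvent(operation=operation, user=user, ip=ip,
                             domain=fields.get("domain") or template.default_domain,
                             mac=normalize_mac(mac) if mac else None)
    return None


def parse_feed(template: SyslogTemplate, lines: List[str]) -> List[IdentityEvent]:
    """Run a provider's whole feed through the template, dropping noise lines."""
    return [e for e in (parse_syslog_line(template, l) for l in lines) if e is not None]


# Constructed sample feed in a made-up "idlog" format; it only exercises the template.
SAMPLE_LINES = [
    "<134>Oct  7 12:25:25 idlog LOGIN user=jsmith domain=SECURITYDEMO ip=10.1.100.21 mac=5c:20:55:65:27:e6",
    "<134>Oct  7 12:26:01 idlog LOGIN user=svc_backup ip=10.1.100.40",
    "<134>Oct  7 12:30:00 idlog LOGOUT user=jsmith ip=10.1.100.21",
    "<134>Oct  7 12:31:10 idlog HEARTBEAT node=idlog",          # no identity data
    "<134>Oct  7 12:32:00 idlog LOGIN user= ip=10.1.100.50",    # mandatory user missing
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TEST_TEMPLATE = SyslogTemplate(
    name="Test Template",
    new_mapping=re.compile(
        rf"LOGIN user=(?P<user>\S*)(?: domain=(?P<domain>\S+))? ip=(?P<ip>{IPV4})"
        r"(?: mac=(?P<mac>[0-9A-Fa-f:.-]+))?"),
    removed_mapping=re.compile(rf"LOGOUT user=(?P<user>\S+) ip=(?P<ip>{IPV4})"),
    default_domain="securitydemo.net",
)

if __name__ == "__main__":
    for event in parse_feed(TEST_TEMPLATE, SAMPLE_LINES):
        print(event)
```

Whatever produces the lines, ISE only trusts the host configured as the provider's Host FQDN, so the template is a parsing aid, not an authentication step.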


Now that we've gone through the majority of the providers, you can understand a little better how to send information to ISE for identity mapping. I've taken the picture below from the ISE configuration guide to illustrate it a little better:


[Figure: PassiveID architecture from the ISE admin guide. Providers (Active Directory domain controllers via WMI/WinRM/Agent; LDAP and other external identity stores; InfoBlox and other IPAMs; Secure Web Gateways) feed identity mappings into ISE, an Endpoint Probe checks "Still there?", and pxGrid subscribers (Cisco Stealthwatch, Cisco Firepower Management Center (FMC)) subscribe and are notified.]


Image Source (https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#id_31516)


Now that we've gone through the configuration of PassiveID, let's move on to our next subject that ties into it...


EasyConnect 


EasyConnect is an option for enterprises who want to authenticate users before granting access but do not want to utilize 802.1x. It's another option or tool in the toolbelt of ISE. There are pros and cons to this approach:

Pros:

• No supplicant configuration to make it work
• No PKI needed
• CoA is done AFTER the user authenticates to ISE
• You can configure this as a fallback to 802.1x if you want. It's definitely not an all-or-nothing approach

Cons:

• Access is largely restricted post-login, or at least the default ACL is a bit more liberal than you might be comfortable with
• Only supports Windows endpoints at the moment
• Does not see a "logoff" event from Microsoft Server. ISE knows the session has ended either by the endpoint disconnecting from the network (RADIUS session ends) or by another user initiating a new login to the endpoint


Again, there is no hard and fast rule that you can only run PassiveID or 802.1x. If you are deploying ISE and have a mixed environment, you can have PassiveID be your fallback method.


Now we are going to configure basic EasyConnect. In my deployment, I've already configured the AD service, which is running on my AD controller as you can see here:




For the purposes of this configuration, I am going to skip the switch and basic ISE configuration. Nothing has changed from previous posts in that regard. I'm just going to walk through the policy setup for EasyConnect.


First I am going to navigate to Policy > Policy Sets and create a new Policy Set in ISE 2.3 by clicking the + button:




For my top-level condition for this policy set, I'm going to choose Device:Device Type equals Switches and just use Default Network Access. Click Save and then go into the newly created policy set.




For the Authentication policy, we're going to choose Wired_MAB as the condition and Internal Endpoints (essentially anything seen by MAB) as the identity store. Remember: we're not authenticating via the network; we're waiting to see an authentication event via Active Directory.




Under the Authorization Policy, I'm going to create a condition of PassiveID_Groups EQUALS AD1:securitydemo.net/Users/Domain Users to look for a PassiveID authentication from anyone who is part of the Domain Users group. Next, click the + button next to Results Profiles to create a new Authorization Profile on the fly.




On the Authorization Profile, name it whatever you would like and then check the box next to Passive Identity Tracking to indicate this will be used with PassiveID. Then choose whatever common tasks you want.




Under that authorization rule, create a rule with the condition of Wired_MAB and grant it just enough access to log in to AD. In this case, I created an Authorization Profile that allows enough access to log in to AD and again checked the Passive Identity Tracking box in the Authorization Profile. In the end, this is what my authorization rules looked like:




After you have saved the policy set, you should be able to test out a login attempt: first you'll see the endpoint profiled and getting AD access, and then it moves to user access after a successful login. This is a screenshot of another deployment I did showing the successful login.
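The two-phase behaviour described above, as an added example (a small Python model of my own, not Cisco ISE code): the endpoint is first authorized by the Wired_MAB rule, then a PassiveID login event for its IP re-evaluates the rules and triggers a CoA. The rule order, profile names and group string are the ones from this post; the EasyConnectPolicy class, its method names and the `directory` stand-in for AD group lookup are hypothetical, as are the sample users and addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Group string and profile names as used in the post's authorization rules.
DOMAIN_USERS = "AD1:securitydemo.net/Users/Domain Users"
DOMAIN_USER_ACCESS = "Domain User Access"   # full access, Passive Identity Tracking on
COMPUTER_ACCESS = "Computer Access"         # just enough to reach AD and log in
DENY_ACCESS = "DenyAccess"


@dataclass
class Session:
    """One RADIUS session ISE holds for a MAB-authenticated endpoint."""
    mac: str
    ip: str
    auth_method: str                  # "MAB" here; 802.1x would hit different rules
    user: Optional[str] = None
    groups: Tuple[str, ...] = ()
    profile: str = DENY_ACCESS
    coa_count: int = 0


def authorize(session: Session) -> str:
    """The post's authorization rules, top to bottom, first match wins."""
    if DOMAIN_USERS in session.groups:       # PassiveID_Groups EQUALS Domain Users
        return DOMAIN_USER_ACCESS
    if session.auth_method == "MAB":         # Wired_MAB
        return COMPUTER_ACCESS
    return DENY_ACCESS                       # default rule


class EasyConnectPolicy:
    """Hypothetical model of the EasyConnect flow (not Cisco ISE code)."""

    def __init__(self, directory: Dict[str, Tuple[str, ...]]):
        self.directory = directory               # user -> AD groups, stands in for AD
        self.sessions: Dict[str, Session] = {}   # keyed by IP: the mapping is user-to-IP
        self.coa_log: List[Tuple[str, str, str]] = []

    def mab_request(self, mac: str, ip: str) -> str:
        """Phase 1: the endpoint is seen by MAB and gets the limited profile."""
        session = Session(mac=mac, ip=ip, auth_method="MAB")
        session.profile = authorize(session)
        self.sessions[ip] = session
        return session.profile

    def passiveid_login(self, user: str, ip: str) -> Optional[str]:
        """Phase 2: a WMI/agent login event arrives for an IP. Re-authorize the
        session and send a CoA only if the resulting profile changed."""
        session = self.sessions.get(ip)
        if session is None:
            return None          # mapping learned, but no RADIUS session to act on
        session.user = user
        session.groups = self.directory.get(user, ())
        new_profile = authorize(session)
        if new_profile != session.profile:
            session.profile = new_profile
            session.coa_count += 1
            self.coa_log.append((ip, user, new_profile))
        return session.profile

    def radius_stop(self, ip: str) -> None:
        """The endpoint left the network. There is no logoff event, so a plain
        user logoff never reaches this model; only a disconnect or a new login does."""
        self.sessions.pop(ip, None)


def demo() -> List[str]:
    """Walk one endpoint through the flow; returns the profile after each step."""
    ise = EasyConnectPolicy({"jsmith": (DOMAIN_USERS,), "contractor": ()})
    trace = [ise.mab_request("5C:20:55:65:27:E6", "10.1.100.21")]   # Computer Access
    trace.append(ise.passiveid_login("jsmith", "10.1.100.21"))      # Domain User Access, CoA
    # jsmith logs off: no event reaches ISE, so the session keeps Domain User Access
    trace.append(ise.sessions["10.1.100.21"].profile)
    # a second user logs in on the same endpoint: mapping replaced, CoA back down
    trace.append(ise.passiveid_login("contractor", "10.1.100.21"))  # Computer Access
    return trace


if __name__ == "__main__":
    print(demo())
```

The third step in `demo()` is the "no logoff event" con made visible: the privileged profile survives until the RADIUS session ends or someone else logs in.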
I loved this feature and surely want to give a try to this one. I hope this will improve the performance of the network.


Masy 6 years ago · 0 Likes


Thanks Katherine for the amazing explanation,
EasyConnect & BYOD can be done on the same ISE box?
Thanks


Paul 6 years ago · 0 Likes 


Informative article Katherine. Especially as I am about to provide a solution for one of my clients who prefer to implement 802.1x authentication.

It is easy and simple! No doubt about it. However, as you have mentioned it only supports Windows endpoints. So, laptops and PCs should be fine. However, the client has CCTV cameras, printers, video conference devices etc. I am thinking to use EasyConnect for Windows users and machines and authenticate the mentioned devices with MAB. It should still work as they will have MAC entries in ISE? Some Ricoh printers are able to do 802.1x as well and now am in DMZ to adapt the solution :-)

Sure, avoiding PKI and supplicants saves heaps of time, but have you researched or have any thoughts on how vulnerable this solution is?

Thanks
Paul


Katherine McNamara · years ago · 0 Likes


I actually think PKI and supplicants are easier and come with fewer caveats. EasyConnect has its own complexities and I don't like it for large scale deployments personally since it doesn't see the logoff event.

As far as your other devices, I would use profiling instead of just straight MAB. That'd be much more secure.


kaleel 7 years ago · 0 Likes 


Hi Katherine, thanks for the detailed write up, answered a few questions I had already... but as always I have a few more that I hope you can answer :)

Do you know (or is there documentation regarding) the permissions required on the AD account when setting ISE up for WMI or the agent? What are the pros and/or cons of using WMI vs an agent?

How 'safe' is installing an agent on a DC or allowing ISE to configure a script for WMI? I know it'll cause a small panic attack with some clients when I say "I just need a domain account so ISE can go to your DC and run a quick script..."

Thanks again


